The present invention relates generally to cryptographic protocols and, more particularly, to a time-stamping protocol for time-stamping digital documents.
There are times when it is desirable to prove the existence of a document as of a particular date. For example, patent disputes concerning the inventorship of an invention often turn on who is able to produce corroborating documentary evidence dating their conception of the invention. A common procedure for dating records is to keep the records in a daily journal or notebook with each page sequentially numbered and dated. Another procedure for dating a record is to have the record witnessed by an uninterested or trusted party that can attest to the existence of the document. The increasing use of computers, however, makes these time-stamping methods obsolete. It is relatively easy to change the date-stamp added to a document by the computer when the document was created. Further, while it is difficult to alter a paper document without leaving some signs of tampering, digital records can be easily altered or revised without leaving any evidence of tampering. Therefore, people are less likely to trust a digital document than a paper document that has been time-stamped using conventional time-stamping procedures.
To be trusted, a time-stamping procedure for digital documents should meet the following criteria:
1. The data itself must be time-stamped, without any regard to the physical medium on which it resides.
2. It must be impossible to change a single bit of the data without that change being apparent.
3. It must be impossible to timestamp a document with a date and time different than the current date and time.
One method for time-stamping a digital document would be to archive the document with a trusted escrow agent. In this case, the document originator sends a copy of the digital document to a trusted escrow agent. The escrow agent records the date and time that the document was received and retains a copy in his archives. Later, if a dispute arises over the date of the document, the document originator can contact the escrow agent who produces his copy of the document and verifies that it was received on a particular date. This time-stamping procedure has a number of drawbacks. First, the document originator must disclose the contents of the document to the escrow agent. Also, large documents take a relatively long period of time to transmit to the escrow agent and they require a large amount of data storage.
An improvement of the escrow procedure is to use a hash of the document. Instead of sending the document to the escrow agent, the document originator hashes the document using a one-way hash algorithm and sends the generated hash value to the escrow agent. The escrow agent stores the hash value along with the date and time that it was received in his archives. Later the document originator can use the services of the escrow agent to prove the existence of the document as of a particular date. The disputed document can be hashed and the resulting hash value can be compared to the hash value stored by the escrow agent in his archives for equality. If the hash values are equal, the document is presumed to be in existence as of the date associated with the stored hash value. One advantage of this method is that the document originator does not need to disclose the contents of the document to the escrow agent.
The need to escrow the document or hash value can be eliminated by having a time stamping authority generate a certified time stamp receipt using a cryptographic signature scheme as taught in U.S. Pat. No. Re. 34,954 to Haber et al. and Fischer, U.S. Pat. No. 5,001,752. In this case, the document originator hashes the document and transmits the hash value to the time stamping authority. The time stamping authority appends the current date and time to the hash value to create a time stamp receipt and digitally signs the time stamp receipt with a private signature key. The time stamping authority""s public verification key is distributed and available to anyone interested in validating a time stamp receipt created by time stamping authority. The public verification key is typically stored in a public key certificate signed by a Certification Authority so that anyone desiring to validate the time stamp receipt with the public key can have confidence in the authenticity of the key.
Another approach to time stamping documents is disclosed in PCT WO 99/16209 entitled Method and System For Transient Key Digital Time Stamps. In this application, time stamp receipts are signed by the time stamping authority using transient, time-related keys. The time-stamping authority periodically generates a signature generation key, which is valid for a predetermined interval of time. Documents received during the specified time interval are signed using the key corresponding to that interval. At the end of the interval, a new key is generated for the next interval and the previously used key is discarded. In this manner, a new signature generation key is generated at a predetermined interval of time. The public verification key associated with each private signature generation key is saved for future authentication of the time stamp receipt.
The present invention is a time-stamping protocol for time-stamping digital documents so that the date of the document can be verified. The method presumes the existence of a trusted agent referred to herein as the time-stamping authority (TSA). According to the present invention, the TSA maintains a plurality of public and private key pairs that are used to sign and verify documents. Each key pair is associated with a predetermined time interval. The document originator creates a time stamp receipt by combining the document or other identifying data proving the substance of a document with a time indication. The document originator sends the time stamp receipt to the TSA. After validating the time stamp receipt, the TSA computes the age of the time stamp receipt and uses the computed age to select a key pair. The time stamp receipt is then signed by the time stamping agent using the private signature key from the selected key pair.